Mitigate Denial of Service (DoS) Attacks
A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. This is often done by overloading the resource; for example:
- With a flood of requests from an external source.
- With a request for more information than the system can successfully deliver; for example, a JSON representation of the entire repository.
- By requesting a content page with an unlimited number of URL variations. The URL can include a handle, some selectors, an extension, and a suffix, any of which can be modified. For example, .../en.html can also be requested as:
- .../en.ExtensionDosAttack
- .../en.SelectorDosAttack.html
- .../en.html/SuffixDosAttack
There are many points of configuration for preventing such attacks; here we only discuss those directly related to AEM.
Configuring Sling to Prevent DoS
Sling is content-centric. This means that processing is focused on the content as each (HTTP) request is mapped onto content in the form of a JCR resource (a repository node):
- The first target is the resource (JCR node) holding the content.
- Secondly, the renderer, or script, is located from the resource properties in combination with certain parts of the request (e.g. selectors and/or the extension).
This approach makes Sling very powerful and very flexible, but as always it is the flexibility that needs to be carefully managed.
1. Incorporate controls at the application level; due to the number of variations possible, a default configuration is not feasible. In your application you should:
- Control the selectors in your application, so that you only serve the explicit selectors needed and return 404 for all others.
- Prevent the output of an unlimited number of content nodes.
2. Check the configuration of the default renderers, which can be a problem area.
- In particular the JSON renderer, which can traverse the tree structure over multiple levels. http://localhost:4502/.json could dump the whole repository in a JSON representation, which would cause significant server problems. For this reason Sling sets a limit on the maximum number of results. To limit the depth of the JSON rendering you can set the value for JSON Max results (json.maximumresults) in the configuration for the Apache Sling GET Servlet. When this limit is exceeded the rendering is collapsed. The default value for Sling within AEM is 200. For example, the request:
- As a preventive measure, disable the other default renderers (HTML, plain text, XML), again by configuring the Apache Sling GET Servlet.
Caution: Do not disable the JSON renderer; it is required for the normal operation of AEM.
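Added example (not from the page or from Adobe): a Sling request filter in Java that applies the application-level rule above, returning 404 for any /content request carrying a selector, extension or suffix that is not explicitly allowed. The class name, its allowlist values and the service ranking are assumptions; it assumes Java 11 and deployment on publish only, since the author UI relies on additional selectors and extensions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.request.RequestPathInfo;
import org.osgi.service.component.annotations.Component;

// Sling request filter: any /content request whose selectors, extension or
// suffix are not on the explicit allowlist gets a 404 instead of a render.
@Component(service = Filter.class, property = {
    "sling.filter.scope=REQUEST",
    "sling.filter.pattern=/content/.*",   // apply to site content only
    "service.ranking:Integer=100"          // assumed ranking; run before other filters as needed
})
public class SelectorAllowlistFilter implements Filter {

    // Hypothetical allowlist; replace with the selectors/extensions your site renders.
    private static final Set<String> ALLOWED_SELECTORS = Set.of("mobile", "print");
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("html");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof SlingHttpServletRequest
                && !isAllowed(((SlingHttpServletRequest) req).getRequestPathInfo())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    static boolean isAllowed(RequestPathInfo info) {
        String ext = info.getExtension();   // null for extension-less requests, which pass through
        if (ext != null && !ALLOWED_EXTENSIONS.contains(ext)) return false;   // e.g. en.ExtensionDosAttack
        boolean selectorsOk = Arrays.stream(info.getSelectors())
                .allMatch(ALLOWED_SELECTORS::contains);                        // e.g. en.SelectorDosAttack.html
        return selectorsOk && info.getSuffix() == null;                        // e.g. en.html/SuffixDosAttack
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Requests like .../en.ExtensionDosAttack, .../en.SelectorDosAttack.html and .../en.html/SuffixDosAttack are refused before any renderer runs, while .../en.html and .../en.mobile.html are passed on.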
Mitigate Against DoS Caused by Using Form Selectors
Note:
This mitigation should be performed only on AEM environments that are not using Forms.
Since AEM does not provide out of the box indexes for the FormChooserServlet, using form selectors in queries will trigger a costly repository traversal, usually grinding the AEM instance to a halt. Form selectors can be detected by the presence of the *.form.* string in queries.
To mitigate this, follow these steps:
- Go to the Web Console by pointing your browser to http://serveraddress:serverport/system/console/configMgr
- Search for Day CQ WCM Form Chooser Servlet
- After you click on the entry, disable Advanced Search Require in the window that opens.
- Click Save.
Disable WebDAV
WebDAV should be disabled on both the author and publish environments. This can be done by stopping the appropriate OSGi bundles.
- Connect to the Felix Management Console running on: http://<host>:<port>/system/console. For example http://localhost:4503/system/console/bundles.
- In the list of bundles, find the bundle named: Apache Sling Simple WebDAV Access to repositories (org.apache.sling.jcr.webdav)
- Click the stop button (in the Actions column) to stop this bundle.
- Again in the list of bundles, find the bundle named: Apache Sling DavEx Access to repositories (org.apache.sling.jcr.davex)
- Click the stop button to stop this bundle.
Note:
A restart of AEM is not required.